Posted
by
timothy
on Tuesday November 19, 2013 @09:44AM
from the maybe-it's-just-coincidental-midget-porn dept.

psychonaut writes "Blogger DoctorBeet discovered that his new LG television was surreptitiously sending information about his TV viewing habits, as well as the names of the files he watched on removable media, to LG's servers. There is an undocumented setting in the TV configuration which supposedly disables this behaviour, but an inspection of the network traffic between the TV and the Internet showed that the TV continues to send the data whether or not the setting is disabled. DoctorBeet contacted LG, but they shrugged the matter off, saying that it's a matter between him and the retailer he bought the TV from."

So, according to their logic, if I came round and kicked their asses, then that's a matter between them and the shop I bought my shoes from?

In this analogy, it depends on the EULA of the shoes you bought.

What they're saying is "you bought this, and accepted the terms and conditions, if you didn't know that it's your problem and take it up with the retailer who didn't tell you about it".

So, if the EULA for the shoes says you're not allowed to come around and kick their asses, then it was the retailer who was supposed to have told you that. And your desire to go around and kick their asses with said shoes is trumped by the fact that you agreed to it.

To me it's a dodgy legal argument, but since courts keep upholding these licenses which in effect say "by using this device you give us the right to do anything we want to, and whatever we like with the data we collect" -- the legal bullshit says "but you consented to us tracking everything you do, it's not our fault".

So, if in this case the shoes you bought had license terms which said you consent to being tracked, or accept that you're not allowed to kick their asses with said footwear... then pretty much yes. Apparently it was up to the retailer to tell you what you've agreed to.

If you refuse to give it, you can't use the product you shelled out money for. So it's consent *under duress*. Which is not real consent.

Out of *policy*, I never read any EULA for any product ever. To read it would be giving it weight. I will just click on anything that makes the thing work, and the only reason I'm clicking on it is to make the thing work, not because of any consent.

One of the nice things is that many websites are as dumb as fuck, and often ask me to agree to things before they let me have access to their pages - and these agreements are in a foreign language I don't understand. I cannot have consented, as I couldn't have even understood what I would be consenting to. That's not just plausible deniability, it's deniability-as-the-null-hypothesis. I just clicked on the button that then led me to where I was trying to go. If the websites don't like that, they are free to 403 me.

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

I do the same thing - when I buy a house, I never read the terms of the mortgage contract. I just sign on the "give me a house" line. So I'm not bound by the terms of the mortgage since I signed under a duress. It was just what I had to do to buy a house.

Yes, I too buy houses where the purchase contract requires no signature, but merely a mouse click. Or even better, where the contract is INSIDE the house and by the mere fact of removing the key from a sealed envelope and opening the door, I've accepted the mysterious contract that is inside that I did not sign...my opening the door is signature enough.

And if there is some clause in that contract that says the bank will install secret video cameras, too bad, take it up with the previous owner.

The difference of course being the timing of the contract agreement and the value of the object being withheld. With EULAs, they are often after the purchase is completed. It would be like the seller of the house refusing to vacate the house even after you've taken possession of it until you agree to terms that weren't mentioned before the sale or in the original contract. To get your property, you either have to agree to their demands (which would not be binding) or involve the police. Police would care about a trespasser. A EULA preventing you from using the software you bought, not so much.

Oh good grief. My point was about ignoring the terms of a contract that you are presented with, know are legally binding, are knowingly take action signifying consent. The person to whom I was replying stated that was their attitude to all software, including where he's required to give explicit consent to terms presented to him before use, not just shrink-wrapped EULAs.

There are problems with EULAs, and contracts to which you don't know you're agreeing should never be allowed to stand up in court, but a

No, he posted the full text of their response, the relevant part being:

"The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions."

What they're actually saying is that he agreed to the terms and conditions somehow, and it's the retailer's fault that he wasn't aware what they were / that he agreed to them. So really it's just a fancy way of saying 'our asses are covered beyond what legal action you can afford so go away'.

It's a wonder that so many people are using the built-in set top boxes in their so-called smart TVs.

The user interfaces are invariably shit (especially so for any software designed in the far East). And you're stuck with whatever badly designed, misconceived bollocks they force upon you. It's the Sony shit-on-your-paying-customers way of doing things.

Anyway, the whole world is (or should be) treating large displays like TVs as monitors, which screens media pushed from the internet via other devices in your house. DLNA and Chromecast are the way of the future, not built-in TV set top pox.

Actually, Chromecast is not the way of the future (I think you meant "wave"). That's yet another add on device to stick somewhere in the home theater setup, either the TV or the receiver. Those devices should have the innate ability to communicate (with sufficient security) with nearly any other device that may come knocking.

I'm sure that if you read the fine print on the agreements for most (if not all) set top box services like TiVo, Hulu, Netflix, your cable agreements, you'll find that they grant permission to collect viewing data and resell it. It's pure gold to ratings organizations or anyone else wanting to prove how many people are watching one thing or another.

The crux though is you are using their services, I expect things like that. What I do not expect is watching say something from my Samsung BR player that is shared from my computer getting uploaded back to Samsung.

Actually, in the US it's a bit tricky for a Cable TV company to sell/give/distribute your viewing data. They can use it internally, but there's a specific law that prohibits disclosure of that data. The Cable TV Privacy Act of 1984 prohibits cable TV providers from disclosing personally identifiable information, and allows users to view and verify their information. This is somewhat unique. No such rules apply to other communications means. For instance if Verizon wants to publish my browsing habits, as

DLNA and Chromecast are the way of the future, not built-in TV set top pox.

Whatever your DLNA-client — whether it is the TV itself (LG have this capability), or some 3rd-party box — it can do the same sort of "calling home" reporting what you are watching.

Worse! Whereas the documented spying reports only the currently-watched file and is limited to the listing of the currently-inserted USB-stick, with DLNA your entire collection can be POSTed facilitating not only research into your watching habits, but also aiding investigations of copyright-violations, for example.

The only way to be sure is to disable Internet-access — or only allow it to the sites you trust (for whatever reason). (Like YouTube or Netflix — it is unlikely (though entirely possible) for them to do the same kind of snooping into your media-collection.) Unfortunately, doing that will also disable firmware updates...

It doesn't transmit the currently watched filename, it dumps the folder contents asynchronously when accessing the Smart functions. And not all the time, it's possibly newly added files.
I am the blogger who found this, let me know if you would like verification.

Have you actually used DLNA? I personally think it stinks. For a way to get a list of files it is pretty good. For any sort of meta data, thumbs, run time, etc it blows.

yeah, I'd been searching for a decent remote control keyboard for my XBMC (formerly MythTV) box for a while (tried a few 2.4GHz and Bluetooth devices), and never found any I liked (nor do I find the XBMC interface very usable). Then I found out about DLNA and MediaHouse on Android, and now I keep all of our media on the NAS in the basement

My TV is just the monitor for a laptop I bought to be a "settop box" (though it's actually connected with a 50' HDMI cable). My remote is my wireless mouse (and I choose a media player that gives me click-almost-anywhere pause and mousewheel volume control, which I find better than my home theater remote).

1080p makes it all work - I have a real UI, can run any sort of display app (Netflix etc) with the "full PC controls" instead of the annoyingly limited "app controls", and of course playing files from my m

I'd rarther reverse engineer the protocol and then build a 'crap stats generator' which sends insane viewing patterns to LG. You know, just to tilt the balance in another direction, to make their entire stats database worthless and get a few managers fired. Not allowed? Collecting data like that is highly illegal and could cost LG their import license.

Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.

We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.

When fascism arrives, it will appear on a Harley with a cheeseburger and a credit card, not wrapped in a flag carrying a Bible.

No, it comes from corporations, by way of any method that might maximize profits. There should be rules against what LG is doing here if this pans out. Rules put in place by the government. And there might in fact be, however that's a matter for the courts since it was probably documented in the owners manual or when you agreed to view content online.

That being said, this is disappointing to hear about LG. Thought they were the last reputable TV maker out there. If this does pan out, I hope there bottom lin

You think totalitarianism doesn't come from above? Who do you think is higher on the political food chain, the consumer or corporations?

You expect consumers to care about privacy, but what does it cost him to care? You almost can't buy a decent TV these days that's not "smart". So he has to put a packet analyzer on the network port and figure out if the thing is phoning home?

No, this a place where the consumer reasonably feels he ought to be protected by government regulation.

Back in 1972 the US Department of Health Education and Welfare developed a landmark report which anticipated a lot of the electronic privacy issues of the following 40 years. The report was prepared under squeaky clean Elliot Richardson, who was shifted from HEW to DoD shortly before the report came out. He was replaced by Caspar Weinberger (later Reagans' Sec'y of Defense, and mixed up with Iran Contra). If you read the report it is capped with a conclusion which doesn't seem to match: we can't really be sure about what's going to happen in the future, so we should avoid regulating any potential privacy abuses by the private sector until they become problems. That's the philosophy which controls the US approach to consumer data privacy to this day. Consumers have to figure out that their data is being abused, then win a political fight against companies who've invested money in the business of exploiting their data.

How do you take away the consumer? Most consumers are either not savvy enough to discover this, not savvy enough to understand the implications of this, or their livelyhoods have been so undermined by both corporations and the government that they can't spare the worry over this issue. The people that should inform the average consumer about these things and the implications of it are now fully profit motivated ratings shills. Not only that, but the profits are ad driven. There will not be a point where

To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.

So far, LG hasn't done a flash-bang home invasion / shooting / kidnapping based on its surreptitious data stealing. If they did, some significant segment of its customer base would go to the competition.

While I heartily dislike all of the tracking and spying being done to me, I will admit that I would be far more complacent about commercial companies spying on me to generate demographic data and provide more relevant content, i.e. a higher precision Nielsen, than TLAs doing so for the purpose of putting me in prison.

However, with commercial entities specifically tracking an individual to target marketing to them, problems arise. Nothing like an 8 y.o. getting onto Mom's Amazon account to update their Xm

One of the most obnoxiously intrusive three-letter government agencies is the HOA. It's stunning what those petty little organizations think they have the right to dictate. You shall not have the right to paint your own house whatever color you please, let your lawn go unmowed, repair cars in your driveway, use a clothesline, or quite a few other things. Why? Because it might commit the grievous sin of Lowering the Neighbors' Property Values. Never know when a neighbor will notice something and make a

Your average consumer doesn't care that their TV is phoning home, or Google is tracking them, or that their cell phones are reporting to Amazon.

We used to be afraid of three-letter government agencies but really, the bigger story is that the average person doesn't care if they're spied on. To them it represents greater convenience in lifestyle as products are tailor-made to their kinks and purchasing habits.

Do you honestly think the average person knows about the spying or even understands exactly what is happening or how it ultimately affects them? If they knew and understood it as we do I think they'd be as pissed about it as we are. Probably even more so considering how easily riled up the average person is by the talking heads on tv.

People are stupid and always go for the (seemingly) easy solutions presented to them. Even after millennia of documented bloody human history, the common person on the street remains completely ignorant how things work, despite it being glaringly obvious.

"The best argument against democracy is a five-minute conversation with the average voter." -- Winston Churchill

This is part of the pitch to advertisers from the LG video: "Furthermore, LG Smart Ad offers useful and various advertising performance reports. That live broadcasting ads cannot. To accurately identify actual advertising effectiveness."

LG staff apparently speak like robots. Or Michael Caine. Who can only say. A few words. At a time.

Netflix is over HTTPS and the stream from the CDN is DRM'd up the wazoo. The ISP is handled by a $5pcm VPN connection, which incidentally might get you an endpoint in another country getting you access to their Netflix library *wink wink*. Between your box and the Netflix CDN it's all secured.

I'm not too sure about that. Cable TV is controlled by monopolies but people can easily choose between competing streaming services.
Netflix, Amazon, and others provide paid streaming services without any advertisements. If you don't like one you can easily switch to another.
Youtube, Hulu, and networks' own sites like NBC.com stream content for free with advertisements. People aren't going to pay for something they can already get free.

For now, it's filenames. Next will be screenshots. After that, reverse-netflix?

What we need is for the protocol to be reverse-engineered, and then just start posting all sorts of randomized information to the servers, effectively making it useless. Advertisers won't pay for garbage data.

If that's the case, it should be pretty easy to crap-flood them. Does it even need a be from a TV? I presume the TV reports it's identifcation with a serial number or such. So... make up a few valid serial numbers, and spin up a few AZW instances, and for pennies a day their database could be filled with so much invalid and malformed data that they never crawl out from under it. Also, why is the cheif of police watching so much porn?

If I were to build a TV that spied on my customers, I would at least encrypt the traffic. By not encrypting the traffic, this opens up the possibility of a user getting revenge by posting misleading data or even something as evil as an XML bomb. Dumb move by LG.

So, does his TV connect to the internet via a cable modem? Perhaps it's time for someone to market a hardware firewall that you can place between your cable modem and your router to monitor and filter all of your inbound and outbound traffic. I suppose that some routers let you do this. I have an Airport Extreme and it does not give you access to any logs (suggestions as hoe to do this would be welcome).

Once a company gets a network connection to what you do, they're going to track it, analyze it, and try to figure out how to monetize it. And, if requested, they're going to hand it over to law enforcement.

And this is precisely why I have no interest in having my TV connected to the internet.

The easiest way to avoid stuff like this is to stop giving companies a window into everything you do. Because the reality is, they're going to exploit it whenever they can for their own benefit.

Eventually appliances that have an Internet connection will require one. Consoles come to mind, and the only thing one can do is not buy one. It would not be surprising for TV makers to require an Internet connection for some "always on" next-gen DRM.

This DRM could constantly monitor (with facial recognition uploads) how many people are in the room, to shut off a video if more than a certain amount are watching a movie, of it someone banned from a service enters the room.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T's and C's at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

So, once again, it's in the EULA and Terms and Conditions, so we can do any fucking thing we want.

LG decided that it needed to update its user agreement and sent an update that paralyzed my TV. It would no long switch between inputs or do anything useful until I clicked their stupid agreement. They even supplied an email address for question about the process onscreen, but nobody ever responded.I was a good customer for them until that stunt.

Sounds nice, but "return the TV' means somehow finding an appropriate shipping box, filling out the required paperwork and paying to mail it back. If you are lucky you will then eventually get another TV to unpack and set up - and then have to repeat the process. Maybe you "win" and get your money back. The TV company doesn't care - very few of their customers will go to that effort rather than just click on the box, and your return will just be in the "user too stupid to use our TV" category.

This is the general problem with "returning" any sort of high tech product. The cost of the users time to do it is so high that most people simply won't bother - especially when they realize that the competitors product will likely have the same problem.

The first thing a tech at the store would do is hit 'agree', and then call me and tell me the set worked fine and to stop wasting his time.Since they cannot know who agreed or even what jurisdiction the agreement was made in, the entire process was meaningless. I just will not buy any more of their stuff. Or purchase it on behalf of any company I work for.

So how can we prevent this from happening? I haven't read the T&Cs but one thing I am sure about is that I own my router and have absolute jurisdiction of any traffic that I allow to pass, so I have compiled an initial list of internet domains that you can block to stop spying and advertising on TVs that we, as customers have actually paid for.

Is this a surprise to anybody? why do you think all TV vendors are pushing for "Smart TV"? all this metadata could be a huge source of revenue to them in all kinds of areas, from advertising profiling to law enforcement.

Since we have more and more connected devices in our lives, you've got to take extra precautions. First and foremost, if your device doesn't need to be connected to the Internet, just don't. There is no reason your wired printer need Internet access, so block that MAC address for external access. If your device does need it, then make sure that it's in an isolated segment with no raw access to Ethernet frames from other systems in your house, and if it's WiFi-enabled, make sure you have guest isolation turned on. Then, setup a proxy, transparent or not, to make sure you have the chance to monitor that traffic for unexpected surprises. If you can, whitelist some specific sites that your application needs to access, like Netflix or VUDU for example and block access to everything else.

Finally, why use apps in the TV when you can have excellent open source software provide you with content, like XBMC or MythTV?

Yes. Thank you. I don't understand why there is so little in the way of outbound port and IP control on home routers. You have to install one of the open source WRT packages and know how to maintain iptables to even run a wifi access point safely, these days.

Spamming them to death with garbage data would be the best way to take control of the issue. Since the information is unencrypted, posting gibberish data to their server will be a breeze. It would be even better to have a registry of device IDs that people can opt-in so that many people can be spamming them on behalf of other device IDs. Better yet is if the device IDs are serial, then the whole range can be randomly spammed. It doesn't have to go to the point of DDOSing them. Just throwing some bad data at them would be enough to totally screw up their ability to mine / sell that data.

I think it's important to point out that the URL that the data is being POSTed to doesn't in fact exist, you can see this from the HTTP 404 response in the next response from LG's server after the ACK.

However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored.

LG doesn't need to implement a valid page for the URL to get the data. The POST is logged on their servers and the 404 gives them deniability if this matter ever draws an executive out to testify in front of legislators.

LG is in felony violation of the CFAA. [wikipedia.org] They're accessing a computer without authorization, and that computer is being used in interstate commerce (commercials are part of commerce), as would be, say, Netflix.

You mean their attempt at an unconscionable contract of adhesion? Meh. Whenever one of those things appears on my screen, I cover it with a post-it note saying basically "By clicking "accept," I agree to nothing. If you don't agree to that, don't accept my click."

Remember that you can only get *actual* damages in small claims and you will need proof of these costs. Also, you are going to spend a LOT of money going to court because you have to get a process server to hand the lawsuit to LG for small claims, THEN (assuming you win) you will have to sue again to collect the debt in a jurisdiction where LG has something you can actually take (paying the process server there). With filing fees and paying the process servers, you are going to be out a chunk of cash (north

Probably the long term answer is a solid internal firewall, or putting the smart TV on its own subnet. Eventually all TVs will be "smart" ones, perhaps even not working unless they have an always-on connection, so I can see emulators being written to make the TV think its phoning home, except it is just communicating with a fancy/dev/null.